code-423n4 / 2021-05-visorfinance-findings


Wrong TimeLockERC20 event emitted #45

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

cmichel

Vulnerability details

The Visor.timeLockERC721 function emits the TimeLockERC20 event but should emit TimeLockERC721 instead.

Impact

It allows tricking the backend into registering ERC20 token transfers that never happened, which could lead to serious issues when something like an accounting app uses this data.

Recommended Mitigation Steps

Emit the correct event.
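
A backend can guard against the mislabelled event described above by accepting a TimeLockERC20 event only when the same transaction also contains a matching ERC20 Transfer into the vault. The sketch below is an added example, not part of the original report or of Visor's code; the decoded-log layout, the event field names `token` and `amount`, the placeholder addresses, and the premise that a genuine ERC20 lock moves tokens into the vault in the same transaction are all assumptions.

```python
from collections import Counter

# Constructed placeholders, not real addresses.
VAULT, TOKEN, NFT, USER = "0xVAULT", "0xTOKEN", "0xNFT", "0xUSER"

def transfer_kind(log):
    # ERC20 and ERC721 Transfer share the same topic0; ERC721 also indexes
    # tokenId, so its log carries 4 topics instead of 3.
    return "erc721" if log["n_topics"] == 4 else "erc20"

def reconcile(tx_logs, vault):
    """Split one transaction's TimeLockERC20 events into (accepted, rejected)."""
    deposits = Counter()  # ERC20 transfers into the vault: (token, amount) -> count
    for log in tx_logs:
        if (log["event"] == "Transfer" and transfer_kind(log) == "erc20"
                and log["args"]["to"] == vault):
            deposits[(log["address"], log["args"]["value"])] += 1
    accepted, rejected = [], []
    for log in tx_logs:
        if log["event"] != "TimeLockERC20" or log["address"] != vault:
            continue
        # Assumed field names for the vault event: token, amount.
        key = (log["args"]["token"], log["args"]["amount"])
        if deposits[key] > 0:
            deposits[key] -= 1  # each transfer backs at most one event
            accepted.append(log)
        else:
            rejected.append(log)
    return accepted, rejected

# Constructed sample: a genuine ERC20 lock of 1000 units.
TX_ERC20_LOCK = [
    {"address": TOKEN, "event": "Transfer", "n_topics": 3,
     "args": {"from": USER, "to": VAULT, "value": 1000}},
    {"address": VAULT, "event": "TimeLockERC20", "n_topics": 1,
     "args": {"recipient": USER, "token": TOKEN, "amount": 1000, "expires": 1700000000}},
]
# Constructed sample: an NFT lock (tokenId 7) logged under the ERC20 event name.
TX_NFT_LOCK = [
    {"address": NFT, "event": "Transfer", "n_topics": 4,
     "args": {"from": USER, "to": VAULT, "tokenId": 7}},
    {"address": VAULT, "event": "TimeLockERC20", "n_topics": 1,
     "args": {"recipient": USER, "token": NFT, "amount": 7, "expires": 1700000000}},
]

if __name__ == "__main__":
    for name, tx in (("erc20 lock", TX_ERC20_LOCK), ("nft lock", TX_NFT_LOCK)):
        ok, bad = reconcile(tx, VAULT)
        print(name, "accepted:", len(ok), "rejected:", len(bad))
```

The topic-count check matters because a decoder that treats every Transfer as ERC20 would read the NFT's tokenId as an amount and let the mislabelled event through.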

ghost commented 3 years ago

Labels: sponsor confirmed, severity disputed, 1

Severity is relative to client context. There is no current context in which this is high severity, though it is blatant and its issue appreciated. We will be updating

ghoul-sol commented 3 years ago

Agree with sponsor. Even though it's obviously the wrong event, there is no obvious high security risk here.

ztcrypto commented 3 years ago

patch link